Personal Privacy in an Information Society. Control Over the Collection of Information


FERPA seeks to minimize intrusiveness in several ways. It requires educational institutions that collect and maintain records about students to pay due regard to the "appropriateness" of information and the privacy rights of students. Currently, the only tool for enforcing it is the right of the student or his parent to inspect and challenge the contents of records. Although FERPA specifically requires the DHEW Secretary to issue regulations to protect the privacy of students and their families in connection with any surveys or data-gathering activities conducted, assisted, or authorized by an administrative head of an educational agency, the regulations have never been issued.

As the first section of this chapter indicates, intrusiveness in elementary and secondary schools is a serious problem, not only of surveys but also in the routine creation of records on students. An individual has little control over data collected directly from him, generated from observations of his behavior, or created by analysis of his student record. Yet FERPA does not address such collection and recording of information.

Reliance on access and correction as a remedy for intrusiveness has several deficiencies. Access and correction are at best remedial, not preventive, and do not address the problem of stigmatization. Parents are not and could not be notified of every entry made in the record of a student, so that substantial harm can be done before they can request correction of stigmatizing information. A student is stigmatized less by a particular item of information than by the composite impression the record as a whole conveys, which makes it difficult for parents to determine which items should be corrected or amended. An addendum to the record giving the student's or parent's side of the story seldom repairs damage to a student's reputation.

In addition, individual access to a record and the right to request that it be corrected cannot lead to preventive action in a highly decentralized system unless specific abuses are either concentrated in one location or are prevalent. If a serious abuse occurs only rarely, steps to prevent its recurrence may be taken only at the location where the abuse occurred, not throughout a system.

Intrusiveness is a problem of information collection. It is simply not realistic for students and parents to exercise control over what information is collected, but it is realistic for institutions to establish standards of propriety and relevance. Adequate standards not only minimize intrusiveness, but provide a context in which the individual can effectively exercise his right to challenge the content of a record, and thereby help the institution to maintain and improve its standards.

Intrusive surveys and other data collection activities are a major problem. Students are a captive population and as such are vulnerable not only to intrusive questioning but also to dangers that arise simply from too much questioning. As pointed out earlier, individuals in component units of decentralized systems often have the autonomy and incentive to authorize or engage in surveys and other data-collection activities. Part of the reason that DHEW has been slow to issue regulations applicable to these activities is that the Department has already promulgated regulations to protect the rights of all human research subjects [45 C.F.R. 46 et seq.] and is now in the process of revising them. Nevertheless, the regulations covering human research subjects apply only to DHEW funded activities, and leave to the data collector rather than the educational institution the responsibility of defining the interest of the individual in that research.

Although most of the data-collection activities in schools are sponsored by the Federal government, and the organizations carrying them out are covered by the research on human subjects regulations, some are not. Moreover, what the researcher, educator, and parent might consider appropriate may differ substantially. Parental complaints about intrusive surveys and other data-collection activities were one reason for the enactment of FERPA;31 yet intrusive data-collection activities continue, notwithstanding DHEW's regulations regarding research on human subjects.

In post-secondary institutions, intrusiveness is not a major problem either in routine record keeping or in special data-collection activities. The organization and management of information by purpose and the comparatively clear standards for the content of records are important protections in themselves. The admissions process does, however, pose intrusiveness problems by virtue of the fact that FERPA places no obligation on an institution to establish standards of relevance and propriety with regard to the information collected and used in the admissions process, or to inform the applicant of the types of information that will be collected about him, and also by virtue of the fact that FERPA allows admissions records containing highly subjective information about him to be kept secret. [20 U.S.C. 1232g(a)(6), (a)(B)(ii) and (iii); 45 C.F.R. 99.12(2) and (3)]

Another intrusiveness danger arises in institutions that have law enforcement or campus security units that engage in investigative activities. FERPA tries to build a wall between the records maintained by such a unit and those maintained by the rest of the educational institution. It does so by exempting the records of a law enforcement unit from the FERPA access and correction requirements, provided the law enforcement unit's records are used and disclosed solely for law enforcement purposes, and the law enforcement unit does not have access to education records. [20 U.S.C 1232g(a)(4)(B)(ii); 45 C.F.R. 99.3] This creates a problem because some of the information a law enforcement unit collects can be useful in maintaining school order and discipline. Yet, if a law enforcement unit shares such information with other school officials, even on a limited basis, all of its records must be open to student or parent access and no record maintained by the unit could be shared with local law enforcement agencies without student or parent consent, even though it could be disclosed and used widely within the educational institution. Most importantly, FERPA imposes no requirement that standards of appropriateness, relevance, or accuracy for such information be established and the Commission has found that the current statute in fact encourages a law enforcement unit to share information surreptitiously with other components of an educational institution.32